Lookup match_type WILDCARD not working

atownson · ‎04-08-2020

Greetings experts,

I have an alert configured to output the search results to a lookup file. And I need to be able to match one of the fields with a wildcard. The process seems straightforward enough, but my search using the lookup is matching the literal wildcard character (*) instead.

Here's what I have so far.

Simplified scheduled alert search that populates the lookup:
* | eval MachineNodeWildcard=Machine."-*"

Lookup definition (transforms.conf on search head):

[machines]
batch_index_query = 0
case_sensitive_match = 0
filename = Machines.csv
match_type = WILDCARD(MachineNodeWildcard)
max_matches = 1000
min_matches = 0

CSV file sample (with header):

host,"_time",Machine,MachineNodeWildcard
host1,1586334808,machineA,"machineA-*"

SPL using lookup (host is returned null):
| makeresults | eval MachineNodeWildcard="machineA-1" | lookup machines MachineNodeWildcard OUTPUT host

This SPL works but isn't what I need (host is resolved):
| makeresults | eval MachineNodeWildcard="machineA-*" | lookup machines MachineNodeWildcard OUTPUT host

There are several other inquiries about wildcard fields in lookups, but I was unable to find a suitable solution from them. Thank you.

Lookup match_type WILDCARD not working

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Lookup match_type WILDCARD not working

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions